How we're losing our privacy online

From personal photos circulated inadvertently on Facebook to ‘Web bugs’ that monitor our buying habits, the Internet is exposing the private us to the public more than any technology in history. Here’s why you should care – and how to avoid it.

Gail Heyman didn’t go on Facebook often. In March Mrs. Heyman, who lives in the Atlanta area, opened an account just to keep up with a few friends. She found herself rarely checking the social-networking site, letting days or even weeks slip by between visits.

But in late June, she received a phone call from a cousin. He had responded to what he thought was her emergency plea for money on Facebook and wired her $2,000 – in London. As he thought about it more, he decided to call her just to double-check.

Heyman, who was still in Georgia, was astounded. Someone had figured out her password, taken over her account, and posted the fraudulent request. “They told my [Facebook] friends that I had been mugged, and that I was in a hotel and that I needed money,” she says.

Her cousin was able to quickly contact Western Union and cancel the transfer before the money was picked up by the imposter in London. Heyman, still a little shaken, hasn’t reopened her Facebook account but hopes to get back online in the future. “It’s made me think differently about doing things online,” she says.

The infiltration of Heyman’s account is the most egregious form of an invasion of personal privacy that is becoming one of the most pressing issues of the Digital Age. As we live more of our lives online, entrusting our most private information to social networks and other Web-based entities, the Internet is becoming our primary means of communication, as well as our filing cabinet; our shoebox to store photos, videos, and letters; and our safe-deposit box of valuable documents.

Not very, according to a growing number of experts. As we slip further into the Internet era, they argue that we are every day surrendering more of the private us to the public domain. Much of it is innocuous. We send a friend an edgy joke by e-mail, which gets passed around until, at some point, our sense of humor ends up getting deconstructed by half the population of Moldova.

Much of it is just annoying. We go online to buy something and a “Web bug,” a software program that monitors our purchases, develops a profile of our buying habits that is sold to businesses. Suddenly, our inbox is flooded with daily pitches for self-coiling garden hoses and mail-order beef from New Zealand.

Some of it is harmful, such as the theft of Heyman’s identity or the photograph we posted on a personal website, thinking it was funny, but, 10 years later, comes back to haunt us in a job interview.

All this may be the price we pay for progress. The Internet, after all, is an incredible force for good, bringing unlimited information and potential for communication at the tap of a keyboard. Isn’t a little loss of privacy worth being able to do so much online? As Scott McNealy, a cofounder of Sun Microsystems, put it famously 10 years ago: “You have zero privacy anyway. Get over it.”

Yet many people don’t want their lives to be so transparent just because they use the Web to shop, socialize, and pay a few bills. To them, the erosion of privacy in the Internet Age poses a threat to our emotional and financial well-being, as well as our basic dignity as human beings.

“Over and over again, our eagerness to exchange privacy for connection is abused – by law enforcement, by teachers and admissions officers and coaches, by employers, and by faceless corporations,” writes Hal Niedzviecki in “The Peep Diaries: How We’re Learning to Love Watching Ourselves and Our Neighbors.”

PRIVACY, OF COURSE, IS something that humans have been losing since the first cave dwellers drew depictions of each other on stone walls. Modern technologies have further narrowed the parameters of discreetness: Remember those rotary phones with the party lines and the nosy neighbor who would listen in?

Then there is the camera, the telephoto lens, and the cellphone with a camera. Everyone seems to be watching: In the name of catching criminals, governments now monitor our movements with surveillance cameras mounted on street corners. Employers can read our e-mail. When we go through an electronic toll with our E-Zpass, a record of our movements exists that might one day be used in a divorce case.

The Internet, in fact, has the potential to expose more of our private information to the public than any technology in history. Part of this is just the nature of the medium. While much knowledge about you has always been publicly available, it was much harder to find in the dusty back room of a library or government archive, or in letters stuffed away in a desk drawer. Today much of this information can be found anywhere in the world at the click of a mouse.

Despite all the talk today about teens who put embarrassing pictures or other highly personal information online, most people aren’t abandoning their desires for privacy. Mostly, they’re making what they think are conscious trade-offs – exchanging information about themselves in discreet amounts and for specific reasons, such as to join a website or conduct a business transaction.

But, more troubling, they’re giving away information about themselves without realizing just how much is being collected and shared. People disclose far more than they know – information that can be gathered here and there like so many bread crumbs that together provide a feast of data.Take Joel Reidenberg and his class at Fordham Law School in New York. Each year, Professor Reidenberg gives his students an assignment to show how public our lives are in the Digital Age. He has them find out everything they can about a person. The only stipulation: The information has to be available free of charge, online.

This year’s subject was Supreme Court Justice Antonin Scalia, who has said that the Constitution provides little right to privacy, including online.What might the students have checked? Databases for municipal and county governments, which increasingly put their record keeping online; tax and voter registration information; mortgage details, including how much someone owes a lender. In some counties, the actual layout of each person’s house is available online. Google offers street views and satellite imagery of homes. Alumni newsletters from a college contain a host of personal information.

News stories in local newspapers are another rich source, as are published birth and death notices. Wedding announcements are a great way to learn maiden names, which lead to a lode of new information.

In short order, the class worked up an impressive 15-page dossier on the justice (which Reidenberg says will not be made public), including his home address, home phone number, his wife’s e-mail address, the movies he liked – even his favorite foods.

“Information that may be disclosed publicly for valid, great reasons in discreet bits and pieces has a whole different meaning when you begin to compile and assemble it for a purpose that is very different from the one for which it was first disclosed,” Reidenberg says.

And these were just curious students. Imagine if it were someone snooping around the Internet who does this for a living.

“Things that 10 years ago as a private investigator I had to conduct a very, very in-depth investigation to get, people now consensually put online,” says Steven Rambam, director of Pallorium, Inc., a New York-based investigative firm. “And I mean everything” – name, address, age, religion, sexual orientation, politics, drug use, what you read, what you eat, what music you listen to.

As Mr. Rambam notes, many people willingly give out personal information. It’s just that the number of people who see it sometimes ends up being far bigger than they expected or imagined.

Consider the current “I Ching” of social contact online – Facebook. Only five years old and originally conceived as a product for college students, Facebook now has more than 250 million members worldwide and is still growing fast.

“People want to reveal, they want to be known, they want to be seen,” Mr. Niedzviecki says. At the same time, he adds, “The pendulum has swung too far toward loneliness and isolation, and we’re using, ironically in many ways, these suddenly emerging social media to try to recapture the feeling that we once had” when people lived in small towns.

Most people, to be sure, are careful about what they post on Facebook. Many are like Ayesha Aleem, a graduate student in journalism at Boston University. She lists a fair amount of personal information on her page – favorite movies and music, education and work background, e-mail and blog addresses – but she won’t put anything that someone can’t find out by simply Googling her name.

She doesn’t list her age. She doesn’t post religious or political views. No home address. No phone number. “My policy is if it’s up on the Internet, it’s public information,” she says. “You can’t blame people for accessing your information. If you don’t want that happening, don’t put it up in the first place.”

Masooma Hussain, who works with a legal advocacy group in Washington, D.C., draws a tighter line. With the increasing visibility of everyone’s profile online, she has decided to share less and less information. Nothing about her job. No phone numbers. She’s thinking of taking down the few photos she has up because it’s so easy for people to download pictures of her from another person’s profile.

“I don’t want people to have immediate access to me,” she says. “It’s a bit creepy knowing that some complete stranger may know who your family and friends are before you’ve even met the person.”

Sir John Sawers, the incoming head of Britain’s secretive spy agency, MI6, can certainly sympathize with that sentiment. In July, a British newspaper reported that Sir John’s wife put details about the family onto her Facebook page. Lady Sawers, who failed to use even basic privacy settings, disclosed the location of the couple’s apartment in London and the whereabouts of their children and his parents, making that information available to as many as a quarter-billion people. One photo showed Sir John, currently Britain’s ambassador to the United Nations, clad unflatteringly in Speedo swim trunks.

Other private revelations on Facebook are less inadvertent and far more costly. Last fall, photos of an 18-year-old cheerleader for the New England Patriots football team appeared on Facebook that showed her posing next to a passed-out man covered in offensive graffiti, according to several news accounts. The photos apparently were taken during a Halloween party at a local college. The Patriots fired her.

Everyone has heard accounts of the college athlete who was drinking and captured on a cellphone camera, only to be kicked off the team; of the person whose private medical records inexplicably became public; of the stolen identity, like Heyman’s. These tend to be the relatively rare breaches.

Yet experts worry about ones that are far more common, even if less insidious. Consider “behavioral advertising.” It occurs when information about the online activities of people is gathered surreptitiously in order to target ads at them. One chief culprit is Web bugs, tags that track users as they move from website to website. They help compile a profile of what a person’s likes and dislikes are, which can then be sold to companies. A study at the University of California, Berkeley released in June showed that all of the top 50 most-visited websites had between 1 and 100 Web bugs embedded in them when checked over one month. Google alone had placed a Web bug on 92 of the top 100 sites.

THE QUESTION IS, HOW do we keep using the Internet while maintaining some curtain of privacy around our cyber glass house? The easiest answer would be to simply become a Luddite – don’t go online at all. But that seems impractical, even irrational, in a wired world.

In fact, some experts worry that if people become too paranoid about online privacy, it could have deleterious effects. “We need to be able to trust a bank not only with our money but with our information,” says Helen Nissenbaum, a professor of media, culture, and communication at New York University.

As a start, many people are trying to ensure some level of privacy by putting more starch in the ubiquitous “terms of service” agreements. These are the policies we regularly encounter when signing up for websites, which usually include promises of safeguarding privacy.

The problem is most people just hit “accept” and don’t read them. Those who do usually wish they didn’t. It’s as if they’re written in Urdu. Nor do the agreements always disclose the ramifications of the privacy people are giving up.

Under pressure from the Federal Trade Commission and private groups, companies are trying to clean up the cyber Sanscrit. One industry group, which includes AT&T and America Online, is designing new privacy notices.

This summer, Facebook announced it would change its privacy policy to give users a simpler way to control who sees information users share. It’s probably a good thing: In July, government privacy commissioners in Canada and Australia charged that Facebook was not doing enough to protect users and potentially violating privacy laws.

“Let’s make it easier for folks to act in the way they want to act,” says Jules Polonetsky, co-chairman and director of the Future of Privacy Forum, a Washington, D.C.-based think tank underwritten by companies such as AT&T, AOL, Intel, eBay, and Facebook. “Yes, I can make a silly joke to my friend. It can be easily watched by my friends, but I can easily make it go away if I need to.”

Advertisers are reacting to criticisms, too. Earlier this summer, four leading advertising trade associations announced they would recommend that their members direct users to a site where they could learn what information had been collected on them, how it was being used, and opt out if they wished.

Some people are suggesting a different way to protect against such surreptitious monitoring – digital decoys. Ms. Nissenbaum and one of her graduate students has developed a downloadable program for Web browsers called “Track Me Not.” It automatically sends out massive numbers of fake search queries so the real search is hidden in the chaff, which would prevent a Web bug from compiling information about surfing patterns.

Another program, called “Vanish,” being developed at the University of Washington, makes e-mail messages unreadable after a period of time, preventing them from being stored indefinitely.

In the end, the surest way to protect our privacy might be societal indifference. In the early 1990s, Bill Clinton’s admission of marijuana use as a youth triggered a mini-scandal. Barack Obama’s admission of youthful drug use in 2007 hardly drew a talk-show tantrum. People seem more forgiving today.

In that vein, maybe that photo we once posted online of us dancing on the tabletop, thinking it was funny, won’t come back to embarrass us decades later. As Patricia Abril, a law professor at the University of Miami, puts it: “Maybe we’ll be more accepting.”In other words, maybe we’ll all just get over it.